Chegg Exposed 40 Million Students in Four Data Breaches Over Three Years
The education technology giant ignored basic security practices, leaked sensitive student data including sexual orientation and disabilities, and failed to protect employees from phishing attacks that exposed Social Security numbers and payroll information.
Between 2017 and 2020, Chegg suffered four separate data breaches that exposed the personal information of approximately 40 million students and 700 employees. The company stored highly sensitive data including religious affiliation, sexual orientation, disabilities, and financial information in plain text without encryption. A former contractor used shared administrator credentials to steal an entire database, and employees repeatedly fell victim to phishing attacks because Chegg provided no security training.
This case shows how companies cut corners on security to maximize profits, leaving students and workers to deal with identity theft and fraud.
The Allegations: A Breakdown
| # | Finding | Severity |
| --- | --- | --- |
| 01 | Chegg shared a single Amazon Web Services master credential among all employees and outside contractors, giving everyone full administrative access to databases containing 40 million users’ personal information. Amazon explicitly warns companies to protect these credentials like credit card numbers and never use them for everyday tasks. | high |
| 02 | The company stored highly sensitive scholarship data in plain text without encryption, including students’ religious denomination, sexual orientation, disabilities, parents’ income range, and heritage. Chegg’s own cybersecurity employee called this information very sensitive in a 2018 internal email. | high |
| 03 | Chegg used the MD5 hash function to protect user passwords until at least April 2018, even though security experts had deprecated this cryptographic method years earlier. When the database was stolen, attackers cracked 25 million of the hashed passwords and posted them in plain text on online forums. | high |
| 04 | The company failed to require multi-factor authentication for access to its databases until at earliest October 2018, allowing attackers who obtained a single password to gain full access to sensitive systems. | high |
| 05 | Chegg did not require employees to complete any data security training until at earliest April 2020, even after employees fell victim to phishing attacks in September 2017, April 2019, and April 2020. | high |
| 06 | The company failed to develop written information security standards, policies, procedures, or practices until January 2021, more than three years after the massive April 2018 breach. | high |
| 07 | Chegg had no policy, process, or procedure for deleting users’ and employees’ personal information after it was no longer necessary, allowing sensitive data to accumulate indefinitely. | medium |
| 08 | The company failed to adequately monitor its networks for unauthorized attempts to transfer personal information outside of its systems, allowing the April 2018 database theft to go undetected. | high |
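The three access-control failures in the table above (shared root credentials, no multi-factor authentication, no monitoring of bulk data transfers) all leave traces in AWS CloudTrail. The following is an added example, not code from Chegg or the FTC record: it scans a constructed CloudTrail log for root-user API calls, console logins without MFA, and an unusually high number of S3 object reads by one identity. The field names follow CloudTrail's record schema; the account ID, ARNs, IP addresses and the bulk-read threshold are constructed assumptions.

```python
"""Flag root-credential use, non-MFA logins and bulk S3 reads in CloudTrail."""
import json
from collections import Counter

# Constructed sample log (not real Chegg data). CloudTrail delivers a
# {"Records": [...]} document; only the fields this check reads are included.
# Note: S3 GetObject calls appear only when S3 data events are enabled.
ACCOUNT = "111122223333"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
] + [
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/contractor"},
     "requestParameters": {"bucketName": "user-data", "key": f"export/part-{i}.csv"}}
    for i in range(60)
]})

BULK_READ_THRESHOLD = 50  # assumption: GetObject calls per identity per log window


def analyze(log_text: str, bulk_threshold: int = BULK_READ_THRESHOLD) -> dict:
    """Return three finding lists: root API calls, non-MFA console logins,
    and identities whose GetObject count reaches the bulk threshold."""
    records = json.loads(log_text)["Records"]
    root_calls, no_mfa_logins = [], []
    reads = Counter()
    for rec in records:
        ident = rec.get("userIdentity", {})
        arn = ident.get("arn", "<unknown>")
        # Root credentials should never appear in day-to-day API activity.
        if ident.get("type") == "Root":
            root_calls.append((rec["eventName"], arn))
        # ConsoleLogin records carry MFAUsed in additionalEventData.
        if rec.get("eventName") == "ConsoleLogin" and \
                rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            no_mfa_logins.append(arn)
        if rec.get("eventName") == "GetObject":
            reads[arn] += 1
    bulk = [(arn, n) for arn, n in reads.items() if n >= bulk_threshold]
    return {"root_api_calls": root_calls,
            "console_login_without_mfa": no_mfa_logins,
            "bulk_s3_reads": bulk}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

In production the same checks would run against CloudTrail records delivered to S3 or CloudWatch Logs, with the bulk-read threshold tuned to each bucket's normal traffic.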
| # | Finding | Severity |
| --- | --- | --- |
| 01 | The Federal Trade Commission brought enforcement action only after four separate breaches had already occurred and millions of students’ data was circulating on dark web forums. Regulators arrived years too late to prevent the harm. | high |
| 02 | No federal privacy statute specifically protected the higher education platform users whose data Chegg collected. The company operated in a regulatory vacuum that allowed it to amass sensitive information without corresponding security requirements. | medium |
| 03 | The consent order relies on corporate self-attestation through annual certifications signed by company officers. Chegg’s own employees will declare whether the company is complying with the security requirements. | medium |
| 04 | The FTC order imposes no financial penalty proportionate to Chegg’s market value. The company faces only the cost of implementing security measures it should have had all along, treating compliance as a deferred line item expense. | high |
| 05 | Light-touch oversight allowed Chegg to self-regulate through checkbox privacy policies that promised commercially reasonable security measures while the company shared master passwords and stored sensitive data in plain text. | high |
| # | Finding | Severity |
| --- | --- | --- |
| 01 | Every security safeguard Chegg skipped, including encryption, credential rotation, and employee training, would have added expense and slowed product rollouts, threatening quarterly growth targets and stock option windfalls for executives. | high |
| 02 | Even after the April 2018 breach exposed 40 million users’ data, Chegg continued to store consumer personal information in plain text in its AWS S3 buckets rather than implementing available encryption. | high |
| 03 | The company collected granular personal attributes including religious affiliation, sexual orientation, and disability status through its scholarship search tool, data that fuels targeted upselling and monetization but also commands high prices on dark web markets when stolen. | high |
| 04 | Chegg hoarded sensitive personal information without implementing policies to delete data after it was no longer necessary, treating student and employee data as a corporate asset to be retained indefinitely. | medium |
| 05 | Amazon Web Services offers server-side encryption for S3 buckets using encryption keys managed by Amazon as part of its standard service. Chegg chose not to use this readily available, relatively low-cost security measure. | high |
| # | Finding | Severity |
| --- | --- | --- |
| 01 | In September 2017, Chegg employees fell victim to a phishing attack that gave criminals access to direct deposit information, allowing attackers to redirect employee paychecks. The company had not required employees to complete any data security training on identifying phishing attacks. | high |
| 02 | In April 2020, a senior employee responsible for payroll fell for a phishing attack that exposed W-2 forms, birthdates, and Social Security numbers of approximately 700 current and former employees. This was the third phishing incident, yet Chegg still had not required security awareness training. | high |
| 03 | A senior Chegg executive fell victim to a phishing attack in April 2019 that exposed personal information about consumers and employees, including financial and medical information stored in the executive’s email inbox. | high |
| 04 | The executive’s email system was configured in a default state that allowed threat actors to bypass Chegg’s multi-factor authentication requirement. The company failed to properly configure its own systems to protect employee accounts. | high |
| 05 | Workers navigating precarious contractor roles and short-term internships now face identity theft restoration costs including credit freezes, legal consultations, and lost work hours, expenses that amount to unpaid overtime. | medium |
| 06 | Chegg treated employee privacy as expendable overhead, collecting names, dates of birth, Social Security numbers, and financial information without implementing reasonable security to protect it. | medium |
| # | Finding | Severity |
| --- | --- | --- |
| 01 | Leaked medical information and disability records can lead to stigma, mental distress, and denial of insurance coverage. The Federal Trade Commission specifically identified stigma, embarrassment, and emotional distress as forms of substantial injury caused by the breaches. | high |
| 02 | Students whose sexual orientation was exposed through the scholarship search data face potential discrimination in scholarships, employment, or insurance rates, compounding existing wealth disparities. | high |
| 03 | Data breach stress manifests in anxiety, lost study time, and diminished academic performance, especially for low-income students already battling financial pressures from tuition and loans. | medium |
| 04 | Identity thieves use stolen names, addresses, and Social Security numbers to apply for credit cards in victims’ names. When the thief fails to pay bills, the victim’s credit score suffers, affecting their ability to rent apartments, secure loans, or even get jobs. | high |
| 05 | Medical and financial information is valuable on the dark web, and wrongdoers frequently purchase users’ health information to commit fraud. This stolen information remains a threat for years after a breach occurs. | high |
| # | Finding | Severity |
| --- | --- | --- |
| 01 | Forty million learners, many first-generation college students juggling loans and side jobs, now face years of credit monitoring and the threat of scholarship discrimination if their disclosed disabilities or sexual orientation information is misused. | high |
| 02 | Local banks absorb charge-offs on fraudulent accounts opened with stolen identities. Family members co-signing student loans risk damaged credit when identity thieves open accounts in victims’ names. | medium |
| 03 | Universities had to divert IT budgets from classroom technology to incident response, pulling resources away from educational improvements to deal with Chegg’s security failures. | medium |
| 04 | Because people often use the same email addresses and passwords for multiple accounts, the exposure of Chegg credentials opens users to credential stuffing attacks. Threat actors can use the stolen email addresses and cracked passwords to attempt access to users’ financial accounts on other websites. | high |
| 05 | Even if identity theft and fraud do not occur immediately after a breach, exposure of personal information makes identity theft and fraud more likely in the future. The risk persists indefinitely. | medium |
| 06 | Due to Chegg’s failure to monitor its systems and lack of access controls, users’ and employees’ personal information may have been exposed in other instances beyond the four documented breaches, without the company’s knowledge. | high |
| # | Finding | Severity |
| --- | --- | --- |
| 01 | The FTC consent order imposes multi-factor authentication, annual audits, and 20-year oversight but includes no direct restitution to affected students or financial penalty proportionate to Chegg’s market capitalization. | high |
| 02 | Chegg executives admit no wrongdoing under the settlement and face no loss of bonuses or stock compensation despite overseeing four separate data breaches that exposed 40 million users. | high |
| 03 | The company gets a six-month grace period to implement multi-factor authentication after the January 25, 2023 order, allowing business as usual to continue even after the enforcement action. | medium |
| 04 | Compliance costs become a line item expense for Chegg, likely cheaper than implementing proper encryption and security training would have been back in 2017 when the breaches began. | high |
| 05 | The consent order allows Chegg to decide which data protection laws apply when a student’s jurisdiction has no specific requirements, giving the company discretion over its own regulatory compliance. | medium |
| 06 | Annual compliance certifications will be signed by company officers, the same leadership structure that presided over years of security failures. The company essentially audits itself. | medium |
| # | Finding | Severity |
| --- | --- | --- |
| 01 | From March 2017 to January 2020, Chegg’s privacy policy claimed the company takes commercially reasonable security measures to protect personal information submitted to us, both during transmission and once we receive it. During this entire period, the company was sharing master passwords and storing sensitive data in plain text. | high |
| 02 | From January 2020 to the present, Chegg’s privacy policy stated we take steps to ensure that your information is treated securely and in accordance with this Privacy Policy. The FTC now labels these statements false or misleading. | high |
| 03 | The reassuring privacy policy language masked root credentials passed around like office candy and personal details stored in unencrypted buckets accessible to any employee or contractor. | high |
| 04 | After the September 2018 discovery that stolen data was posted online, Chegg required 40 million users to reset passwords, issued a contrite statement, and continued growth-focused product development while regulators processed paperwork. | medium |
| 05 | Chegg’s crisis response playbook followed classic corporate tactics: force a password reset, publish a blog post, and keep launching new features. By the time the consent order arrived in 2023, the news cycle had moved on. | medium |
| # | Finding | Severity |
| --- | --- | --- |
| 01 | Chegg monetized granular scholarship search data from students whose average household incomes often fall below national medians, collecting parents’ income ranges, disabilities, and other sensitive attributes to fine-tune marketing algorithms. | high |
| 02 | When the same data trove surfaced on dark web forums, students paid the price through credit monitoring costs, identity theft remediation, and damaged credit scores, while Chegg executives faced no financial penalties. | high |
| 03 | Companies routinely extract value from vulnerable student populations while offloading cybersecurity costs onto them. The wealth gap widens not only through tuition debt but through hidden expenses like credit repair spawned by data leaks. | high |
| 04 | Low-income students already battling wealth disparity bear the greatest risk from leaked scholarship data. Those with the fewest resources face the highest costs for credit freezes, monitoring services, and lost time dealing with fraud. | high |
| 05 | The broader economy absorbs hidden costs that never appear on Chegg’s balance sheet: banks shoulder fraud charge-offs, taxpayers fund regulatory investigations, and universities scramble to reassure students whose credentials intertwine with campus systems. | medium |
| # | Finding | Severity |
| --- | --- | --- |
| 01 | Four distinct breaches hit between September 2017 and April 2020, yet legally binding security fixes did not arrive until the January 25, 2023 consent order, nearly six years after the first payroll hack. | high |
| 02 | After the September 2018 discovery that stolen data was posted online, Chegg implemented some access controls by rotating credentials and creating role-based permissions. But the company allowed all other security failures to persist, including storing consumer data in plain text. | high |
| 03 | Every month Chegg operated without encryption, security training, or multi-factor authentication preserved cash flow and burnished growth metrics while the clock on consumer risk kept ticking. | high |
| 04 | Despite employees falling victim to phishing attacks in September 2017 and April 2019, Chegg still did not require employees to complete security awareness training before the April 2020 phishing attack that exposed 700 workers’ W-2 forms. | high |
| 05 | The consent order grants Chegg six additional months to implement multi-factor authentication after the January 2023 enforcement action, extending the delay tactic even in the face of regulatory intervention. | medium |
| 06 | Under the system as designed, delay itself becomes a defensive moat. Fines and consent decrees are simply line items deferred to a future quarter while profits continue in the present. | high |
| # | Finding | Severity |
| --- | --- | --- |
| 01 | Behind every leaked password sits a student juggling rent, loans, and now identity theft paperwork. Behind each stolen W-2 stands an employee pricing credit freeze fees into an already stretched budget. | high |
| 02 | Chegg did exactly what market incentives encourage: amass lucrative data quickly, spend minimally on unprofitable safeguards, and negotiate reforms only after headlines threaten brand equity. | high |
| 03 | The Federal Trade Commission documented systemic security lapses including plain-text storage, outdated MD5 password hashing, and shared master keys. These failures squarely meet the legal definition of unfair and deceptive practices. | high |
| 04 | The consent order’s 20-year oversight tail signals the severity of the violations. Yet the absence of financial penalties hints that even serious enforcement may be priced in as a cost of doing business. | high |
| 05 | Until enforcement shifts from after-the-fact consent orders to upfront deterrents with meaningful financial consequences, millions more student credentials will dangle as collateral for quarterly earnings targets. | high |
| 06 | The harms students and employees suffered were not reasonably avoidable. Users had no way to know about Chegg’s security shortcomings when they entrusted the company with their most sensitive personal information. | high |
Timeline of Events
Direct Quotes from the Legal Record
“In a 2018 internal email, Chegg’s employee in charge of cybersecurity described the Scholarship Search Data as ‘very sensitive.’”
💡 Chegg’s security chief knew the data was highly sensitive, yet the company stored it in plain text without encryption
“Amazon had provided public guidance to protect AWS Root Credentials ‘like you would your credit card numbers or any other sensitive secret’ and that Amazon ‘strongly recommend[s] that you do not use the root user for your everyday tasks, even the administrative ones.’”
💡 Chegg violated clear guidance from its cloud provider by sharing master credentials among employees and contractors
“Using the AWS Root Credentials, the former contractor exfiltrated a database containing personal information of approximately 40 million users of the Chegg platform.”
💡 A single shared password gave one former contractor access to steal the data of 40 million students
“Chegg encrypted users’ passwords using the MD5 hash function, a cryptographic function that had been deprecated by experts for years prior to April 2018.”
💡 The company used obsolete security technology that allowed attackers to crack 25 million passwords
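To make the MD5 finding concrete, the following added example (not code from Chegg or the legal record) shows why an unsalted MD5 password table fails and the standard way out of it: every user sharing a password gets the same digest, so one precomputed lookup cracks all of them, whereas a per-user salt and a slow key derivation function remove that shortcut. The user names, passwords and the PBKDF2 work factor are constructed assumptions; the migrate-on-login pattern rehashes each legacy entry the next time that user authenticates.

```python
"""Unsalted MD5 password table versus salted PBKDF2, with migrate-on-login."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: work factor in the current OWASP range for PBKDF2-SHA256

# Constructed legacy table: unsalted MD5 digests, the scheme the complaint describes.
legacy_users = {
    "alice@example.edu": hashlib.md5(b"password123").hexdigest(),
    "bob@example.edu": hashlib.md5(b"password123").hexdigest(),
    "carol@example.edu": hashlib.md5(b"correct horse battery").hexdigest(),
}


def md5_weakness(table: dict) -> dict:
    """Unsalted hashing leaks equality: identical passwords produce identical
    digests, so a single precomputed-table hit exposes every matching user."""
    by_digest = {}
    for user, digest in table.items():
        by_digest.setdefault(digest, []).append(user)
    return {d: users for d, users in by_digest.items() if len(users) > 1}


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as algorithm$iterations$salt$hash."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_and_migrate(table: dict, user: str, password: str) -> bool:
    """Verify against either scheme. A successful login against a legacy MD5
    entry rewrites it with PBKDF2 so the MD5 digest is never kept afterwards."""
    stored = table.get(user)
    if stored is None:
        return False
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    # Legacy path: constant-time compare of the MD5 digest, then upgrade in place.
    if hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored):
        table[user] = hash_password(password)
        return True
    return False


if __name__ == "__main__":
    print("users sharing a digest:", md5_weakness(legacy_users))
    users = dict(legacy_users)
    print("alice login:", verify_and_migrate(users, "alice@example.edu", "password123"))
    print("alice now stored as:", users["alice@example.edu"][:32], "...")
```

Users who never log in again keep their MD5 entry, so a migration of this kind is normally paired with a forced reset for accounts still on the legacy scheme after a deadline.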
“For example, Chegg continues to store consumer personal information in plain text in its AWS S3 buckets.”
💡 Even after a massive breach exposed the danger, Chegg kept storing sensitive data without encryption
“Despite Chegg employees falling victim to phishing attacks on at least two prior occasions, Chegg still did not require, in or before April 2020, its employees to complete any data security training, including identifying and appropriately responding to phishing attacks.”
💡 After three phishing attacks in three years, the company still had not trained employees to recognize threats
“The exposed personal information included the S3 User Data consisting of users’ email addresses, first and last names, passwords, and, for certain Chegg users, their Scholarship Search Data, consisting of their religious denomination, heritage, date of birth, parents’ income range, sexual orientation, and disabilities.”
💡 Chegg collected and exposed the most intimate details of students’ lives, information that can be used for discrimination
“Chegg’s failure to provide reasonable security for users’ and employees’ personal information has caused or is likely to cause substantial injury to those users and employees in the form of fraud, identity theft, monetary loss, stigma, embarrassment, emotional distress, and time spent remedying or attempting to prevent any of these potential injuries.”
💡 Regulators documented specific harms including stigma and emotional distress, not just financial losses
“Medical and financial information is valuable on the open market, and wrongdoers frequently seek to purchase users’ financial and health information on the dark web.”
💡 The stolen information has ongoing commercial value to criminals, creating lasting risk for victims
“Because people often use the same email addresses and passwords for multiple accounts, exposure of such user credentials open users up to additional attacks by threat actors, including credential stuffing attacks.”
💡 The breach enabled attackers to access victims’ accounts on completely unrelated websites and services
“Due to Chegg’s failure to appropriately monitor its systems and lack of access controls and authentication protections for its S3 databases, users’ and employees’ personal information, including health information and financial information, may have been exposed in other instances—beyond the incidents described in Paragraphs 11-15—without Chegg’s knowledge.”
💡 Chegg’s monitoring was so poor that other breaches may have occurred without the company even knowing
“Chegg takes commercially reasonable security measures to protect the Personal Information submitted to us, both during transmission and once we receive it.”
💡 The privacy policy made explicit promises about security that the company was not keeping
“We take steps to ensure that your information is treated securely and in accordance with this Privacy Policy.”
💡 Even the updated privacy policy contained misleading statements about the company’s security practices
“The harms described in Paragraphs 16-21 were not reasonably avoidable by users or employees, as users had no way to know about Chegg’s information security shortcomings.”
💡 Students and workers had no ability to protect themselves because Chegg hid its security failures
“Chegg could have prevented or mitigated these information security failures through readily available, and relatively low-cost, measures. For example, as part of its AWS service, Amazon offers server-side encryption that encrypts data at rest (such as the S3 User Data) using encryption keys managed by Amazon.”
💡 The company had access to easy, affordable security tools but chose not to use them
Frequently Asked Questions
There’s a press release about the repeated data breaches from Chegg on the FTC’s website: https://www.ftc.gov/news-events/news/press-releases/2023/01/ftc-finalizes-order-ed-tech-provider-chegg-lax-security-exposed-student-data